From 2b262ff5d6005b479864c52a36bb56b49dd98a24 Mon Sep 17 00:00:00 2001
From: Daniel Haus
Date: Fri, 26 Nov 2021 21:27:25 +0100
Subject: [PATCH] Create setting to allow to trust the system root CAs

Previously, when rootCA was set, the trusted system root CAs were ignored. Now, allow for both being able to be configured and used

Signed-off-by: Daniel Haus
---
 connector/openshift/openshift.go | 73 +++++++++++++++------------
 connector/openshift/openshift_test.go | 10 ++--
 2 files changed, 47 insertions(+), 36 deletions(-)

diff --git a/connector/openshift/openshift.go b/connector/openshift/openshift.go
index 469dbd96..e604dadf 100644
--- a/connector/openshift/openshift.go
+++ b/connector/openshift/openshift.go
@@ -28,13 +28,14 @@ const (
 // Config holds configuration options for OpenShift login
 type Config struct {
- Issuer string `json:"issuer"`
- ClientID string `json:"clientID"`
- ClientSecret string `json:"clientSecret"`
- RedirectURI string `json:"redirectURI"`
- Groups []string `json:"groups"`
- InsecureCA bool `json:"insecureCA"`
- RootCA string `json:"rootCA"`
+ Issuer string `json:"issuer"`
+ ClientID string `json:"clientID"`
+ ClientSecret string `json:"clientSecret"`
+ RedirectURI string `json:"redirectURI"`
+ Groups []string `json:"groups"`
+ InsecureCA bool `json:"insecureCA"`
+ RootCA string `json:"rootCA"`
+ IncludeSystemRootCAs bool `json:"includeSystemRootCAs"`
 }
 var (
@@ -43,17 +44,18 @@ var (
 )
 type openshiftConnector struct {
- apiURL string
- redirectURI string
- clientID string
- clientSecret string
- cancel context.CancelFunc
- logger log.Logger
- httpClient *http.Client
- oauth2Config *oauth2.Config
- insecureCA bool
- rootCA string
- groups []string
+ apiURL string
+ redirectURI string
+ clientID string
+ clientSecret string
+ cancel context.CancelFunc
+ logger log.Logger
+ httpClient *http.Client
+ oauth2Config *oauth2.Config
+ insecureCA bool
+ rootCA string
+ includeSystemRootCAs bool
+ groups []string
 }
 type user struct {
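Review bot: The new `IncludeSystemRootCAs` field in the Config hunk has no comment, and nothing tells an operator that it only takes effect when `rootCA` is set and `insecureCA` is false (the newHTTPClient hunk in this commit consults it only inside the `rootCA != ""` branch). Suggest adding above the field: `// IncludeSystemRootCAs also trusts the host's system root CAs in addition to RootCA; ignored when RootCA is empty or InsecureCA is true.` Leaving the zero value (false) as the default keeps the previous behaviour of trusting the rootCA file alone, which is the safer default for a pinned deployment.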
@@ -73,18 +75,19 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
 req, err := http.NewRequest(http.MethodGet, wellKnownURL, nil)
 openshiftConnector := openshiftConnector{
- apiURL: c.Issuer,
- cancel: cancel,
- clientID: c.ClientID,
- clientSecret: c.ClientSecret,
- insecureCA: c.InsecureCA,
- logger: logger,
- redirectURI: c.RedirectURI,
- rootCA: c.RootCA,
- groups: c.Groups,
+ apiURL: c.Issuer,
+ cancel: cancel,
+ clientID: c.ClientID,
+ clientSecret: c.ClientSecret,
+ insecureCA: c.InsecureCA,
+ logger: logger,
+ redirectURI: c.RedirectURI,
+ rootCA: c.RootCA,
+ includeSystemRootCAs: c.IncludeSystemRootCAs,
+ groups: c.Groups,
 }
- if openshiftConnector.httpClient, err = newHTTPClient(c.InsecureCA, c.RootCA); err != nil {
+ if openshiftConnector.httpClient, err = newHTTPClient(c.InsecureCA, c.RootCA, c.IncludeSystemRootCAs); err != nil {
 cancel()
 return nil, fmt.Errorf("failed to create HTTP client: %v", err)
 }
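Review bot: The error returned right after the changed newHTTPClient call still uses `%v`, so the chain that this commit starts wrapping with `%w` inside newHTTPClient is flattened again at this layer and a caller can no longer `errors.Is`/`errors.As` the underlying file or cert-pool error. Suggest `return nil, fmt.Errorf("failed to create HTTP client: %w", err)` to match the wrapping style introduced in the same commit. Open begins and ends outside this hunk, so whether any caller inspects the error is not visible here.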
@@ -248,16 +251,24 @@ func validateAllowedGroups(userGroups, allowedGroups []string) bool {
 }
 // newHTTPClient returns a new HTTP client
-func newHTTPClient(insecureCA bool, rootCA string) (*http.Client, error) {
+func newHTTPClient(insecureCA bool, rootCA string, includeSystemRootCAs bool) (*http.Client, error) {
 tlsConfig := tls.Config{}
 if insecureCA {
 tlsConfig = tls.Config{InsecureSkipVerify: true}
 } else if rootCA != "" {
- tlsConfig = tls.Config{RootCAs: x509.NewCertPool()}
+ if !includeSystemRootCAs {
+ tlsConfig = tls.Config{RootCAs: x509.NewCertPool()}
+ } else {
+ systemCAs, err := x509.SystemCertPool()
+ if err != nil {
+ return nil, fmt.Errorf("failed to read host CA: %w", err)
+ }
+ tlsConfig = tls.Config{RootCAs: systemCAs}
+ }
 rootCABytes, err := os.ReadFile(rootCA)
 if err != nil {
- return nil, fmt.Errorf("failed to read root-ca: %v", err)
+ return nil, fmt.Errorf("failed to read root-ca: %w", err)
 }
 if !tlsConfig.RootCAs.AppendCertsFromPEM(rootCABytes) {
 return nil, fmt.Errorf("no certs found in root CA file %q", rootCA)
diff --git a/connector/openshift/openshift_test.go b/connector/openshift/openshift_test.go
index 6280b831..d119fe80 100644
--- a/connector/openshift/openshift_test.go
+++ b/connector/openshift/openshift_test.go
@@ -70,7 +70,7 @@ func TestGetUser(t *testing.T) {
 _, err = http.NewRequest("GET", hostURL.String(), nil)
 expectNil(t, err)
- h, err := newHTTPClient(true, "")
+ h, err := newHTTPClient(true, "", false)
 expectNil(t, err)
@@ -128,7 +128,7 @@ func TestVerifyGroup(t *testing.T) {
 _, err = http.NewRequest("GET", hostURL.String(), nil)
 expectNil(t, err)
- h, err := newHTTPClient(true, "")
+ h, err := newHTTPClient(true, "", false)
 expectNil(t, err)
@@ -164,7 +164,7 @@ func TestCallbackIdentity(t *testing.T) {
 req, err := http.NewRequest("GET", hostURL.String(), nil)
 expectNil(t, err)
- h, err := newHTTPClient(true, "")
+ h, err := newHTTPClient(true, "", false)
 expectNil(t, err)
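Review bot: The new `if !includeSystemRootCAs { … } else { … }` block puts the negated case first and nests the SystemCertPool call one level deeper than needed; the same logic reads more directly as a single pool that starts as `x509.NewCertPool()` and is replaced by the system pool only when the flag is set, as sketched below. The new wrapping text `failed to read host CA` also differs from the neighbouring `root-ca` / `root CA file` wording and does not name what failed, which is the system cert pool load rather than a file read. The doc comment `// newHTTPClient returns a new HTTP client` should now state the trust rules the body implements: insecureCA skips verification entirely, rootCA alone pins trust to that file, and includeSystemRootCAs is consulted only when rootCA is set, so the default of false keeps the previous pinning-only behaviour. newHTTPClient continues past the end of the hunk, so the client construction is not visible here.
```go
	} else if rootCA != "" {
		// The rootCA file is the only trust anchor unless the operator opts in
		// to the host trust store as well; false keeps the pinning-only default.
		pool := x509.NewCertPool()
		if includeSystemRootCAs {
			var err error
			if pool, err = x509.SystemCertPool(); err != nil {
				return nil, fmt.Errorf("failed to load system cert pool: %w", err)
			}
		}
		tlsConfig = tls.Config{RootCAs: pool}
		// … unchanged: os.ReadFile(rootCA), AppendCertsFromPEM, client construction …
```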
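Review bot: Every updated call site in the test file passes `newHTTPClient(true, "", false)`, so the new `includeSystemRootCAs` branch that calls `x509.SystemCertPool()` and then appends the rootCA file is never executed by the suite; with insecureCA true the RootCAs field is not even set, so neither pool-building path is covered. The same applies to the hunks at `@@ -128` and `@@ -164` here and `@@ -198` and `@@ -237` below. A focused test that writes a self-signed PEM to a temporary file and calls `newHTTPClient(false, path, false)` and `newHTTPClient(false, path, true)`, asserting both return a client without error, would exercise both branches; a call with an unreadable path should assert the wrapped error can be unwrapped with errors.As to the os error type, since the commit switches that message to `%w`.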
@@ -198,7 +198,7 @@ func TestRefreshIdentity(t *testing.T) {
 })
 defer s.Close()
- h, err := newHTTPClient(true, "")
+ h, err := newHTTPClient(true, "", false)
 expectNil(t, err)
 oc := openshiftConnector{apiURL: s.URL, httpClient: h, oauth2Config: &oauth2.Config{
@@ -237,7 +237,7 @@ func TestRefreshIdentityFailure(t *testing.T) {
 })
 defer s.Close()
- h, err := newHTTPClient(true, "")
+ h, err := newHTTPClient(true, "", false)
 expectNil(t, err)
 oc := openshiftConnector{apiURL: s.URL, httpClient: h, oauth2Config: &oauth2.Config{